Replace JSON.load with JSON.parse, also removed the proc parameter

Since we are dealing with untrusted user input, we should not be using JSON.load. According to the docs[1]: BEWARE: This method is meant to serialise data from trusted user input, like from your own database server or clients under your control, it could be dangerous to allow untrusted users to pass JSON sources into it. The default options for the parser can be changed via the ::load_default_options method. [1] http://www.ruby-doc.org/stdlib-2.0/libdoc/json/rdoc/JSON.html#method-i-load

Replace JSON.load with JSON.parse, also removed the proc parameter
Since we are dealing with untrusted user input, we should not be using JSON.load. According to the docs[1]: BEWARE: This method is meant to serialise data from trusted user input, like from your own database server or clients under your control, it could be dangerous to allow untrusted users to pass JSON sources into it. The default options for the parser can be changed via the ::load_default_options method. [1] http://www.ruby-doc.org/stdlib-2.0/libdoc/json/rdoc/JSON.html#method-i-load
b9e142af · Godfrey Chan · 3d60e9d5 · b9e142af · b9e142af
Showing with 16 addition and 3 deletion

activesupport/lib/active_support/json/decoding.rb activesupport/lib/active_support/json/decoding.rb +2 -2

activesupport/test/json/decoding_test.rb activesupport/test/json/decoding_test.rb +14 -1

未找到文件。
--- a/activesupport/lib/active_support/json/decoding.rb
+++ b/activesupport/lib/active_support/json/decoding.rb
@@ -13,8 +13,8 @@ class << self
      #
      #   ActiveSupport::JSON.decode("{\"team\":\"rails\",\"players\":\"36\"}")
      #   => {"team" => "rails", "players" => "36"}
-      def decode(json, proc = nil, options = {})
-        data = ::JSON.load(json, proc, options)
+      def decode(json, options = {})
+        data = ::JSON.parse(json, options.merge(create_additions: false))
        if ActiveSupport.parse_json_times
          convert_dates_from(data)
        else

--- a/activesupport/test/json/decoding_test.rb
+++ b/activesupport/test/json/decoding_test.rb
@@ -4,6 +4,12 @@
 require 'active_support/time'

 class TestJSONDecoding < ActiveSupport::TestCase
+  class Foo
+    def self.json_create(object)
+      "Foo"
+    end
+  end
+
  TESTS = {
    %q({"returnTo":{"\/categories":"\/"}})        => {"returnTo" => {"/categories" => "/"}},
    %q({"return\\"To\\":":{"\/categories":"\/"}}) => {"return\"To\":" => {"/categories" => "/"}},
@@ -52,7 +58,8 @@ class TestJSONDecoding < ActiveSupport::TestCase
    # tests escaping of "\n" char with Yaml backend
    %q({"a":"\n"})  => {"a"=>"\n"},
    %q({"a":"\u000a"}) => {"a"=>"\n"},
-    %q({"a":"Line1\u000aLine2"}) => {"a"=>"Line1\nLine2"}
+    %q({"a":"Line1\u000aLine2"}) => {"a"=>"Line1\nLine2"},
+    %q({"json_class":"TestJSONDecoding::Foo"}) => {"json_class"=>"TestJSONDecoding::Foo"}
  }

  TESTS.each_with_index do |(json, expected), index|
@@ -78,5 +85,11 @@ class TestJSONDecoding < ActiveSupport::TestCase
  def test_failed_json_decoding
    assert_raise(ActiveSupport::JSON.parse_error) { ActiveSupport::JSON.decode(%({: 1})) }
  end
+
+  def test_cannot_force_json_unmarshalling
+    encodeded = %q({"json_class":"TestJSONDecoding::Foo"})
+    decodeded = {"json_class"=>"TestJSONDecoding::Foo"}
+    assert_equal decodeded, ActiveSupport::JSON.decode(encodeded, create_additions: true)
+  end
 end